Microsoft released Patch Tuesday updates for Windows 11 (KB5034765) and Windows 10 (KB5034763, and more) earlier this week. Alongside that, the company has also issued a reminder about the impending end of optional, non-security preview updates, known as C and D releases, this month for Windows 11 version 22H2.
Another major announcement the company made is about Secure Boot. Microsoft has declared that it is beginning to roll out new Secure Boot keys (CA) from 2023 to replace the previous ones. The outgoing ones are from 2011, issued during Windows 8 when Secure Boot was first debuted by the Redmond giant. These certificates are set to be 15 years old a couple of years from now in 2026, which is when they will expire.
Certificate Authorities (CAs) or keys essentially help manage the authenticity and validity of various components like bootloaders, drivers, firmware, and various applications.
On its Tech Community blog post announcing the change, Microsoft writes:
Microsoft, in collaboration with our ecosystem partners, is preparing to roll out replacement certificates that’ll set new Unified Extensible Firmware Interface (UEFI) Certificate Authorities (CAs) trust anchors in Secure Boot for the future.
Look out for Secure Boot database updates rolling out in phases to add trust for the new database (DB) and Key Exchange Key (KEK) certificates. This new DB update is available as an optional servicing update for all Secure Boot enabled devices from February 13, 2024.
Broadly speaking, this is going to be a major update to the Secure Boot DB (Data Base) which is not updated regularly like the Secure Boot DBX. If you are wondering, the Secure Boot DBX list is essentially the revocation list containing insecure modules which is why it is called the Secure Boot Forbidden Signature Database (DBX).
Therefore, the Microsoft Corporation KEK CA 2011, the Microsoft Windows Production PCA 2011, and the Microsoft UEFI CA 2011 will all be replaced by their corresponding 2023 versions. Microsoft plans to do it in a phased manner to ensure compatibility and a bug-free rollout and wishes to complete the full process before 2026.
3 Comments - Add comment